Identifying malicious activity using data complexity anomalies

ABSTRACT

Examples relate to identifying malicious activity using data complexity anomalies. In one example, a computing device may: receive a byte stream that includes a plurality of bytes; determine, for a least one subset of the byte stream, a measure of complexity of the subset; determine that the measure of complexity meets a predetermined threshold measure of complexity for a context associated with the byte stream; and in response to determining that the measure of complexity meets the threshold, provide an indication that the byte stream complexity is anomalous.

CROSS-REFERENCE TO RELATED APPLICATION

This application is a continuation of International Application No.PCT/US2015/067222, with an International Filing Date of Dec. 21, 2015,which is incorporated herein by reference in its entirety.

BACKGROUND

Computer networks and the devices that operate on them often experienceproblems for a variety of reasons, e.g., due to misconfiguration,software bugs, and malicious network and computing device attacks.Detecting and preventing the use and spread of malicious software, forexample, is often a priority for computer network administrators.Malicious software is increasingly designed to avoid detection usingincreasingly sophisticated methods.

BRIEF DESCRIPTION OF THE DRAWINGS

The following detailed description references the drawings, wherein:

FIG. 1 is a block diagram of an example computing device for identifyingmalicious activity using data complexity anomalies.

FIG. 2A is an example data flow for identifying thresholds for datacomplexity.

FIG. 2B is a block diagram of an example computing device foridentifying thresholds for data complexity.

FIG. 3 is an example data flow for identifying byte streams havinganomalous complexity values.

FIG. 4 is a flowchart of an example method for identifying maliciousactivity using data complexity anomalies.

DETAILED DESCRIPTION

Anomalies in the expected complexity for streams of data, such as bytestreams being processed by a computer and/or transmitted across anetwork, may be indicative of potentially malicious data. For example,malicious files often attempt to hide malicious code within moretraditional code, e.g., using obfuscation. Obfuscated portions of codeare one example type of data that is more likely to be complex thanun-obfuscated portions of code. An expected measure of complexity may bedetermined for byte streams in a particular context, and the complexityof unknown byte streams may be compared to the expected measure ofcomplexity to determine whether an anomaly exists.

One way to measure the complexity of data is by using compressibility.Relatively simple portions of data may be compressed more easily, e.g.,to a smaller size, than more complex portions of data from the same datastream. For example, many compression algorithms compress data by takingadvantage of repeated data or patterns, which may occur often in certaincontexts, such as computer files or network packet fields. Another wayto measure complexity of data is using entropy, where data having highentropy is more likely to be complex than data having low entropy.

By way of example, a distribution of compressibility values, e.g.,compression ratios, for benign computer files may be gathered to createa threshold compressibility value, e.g., in standard deviations from themean compression ratio. Unknown computer files may be compressed and thecompression ratios may be compared to the threshold compressibilityvalue to determine whether an anomaly occurs. Computer files withanomalous complexity, or compressibility, values may trigger a varietyof responses, such as a security event notification or preventingtransmission of the anomalous computer file. Further details regardingthe identification of anomalous data complexity are described in theparagraphs that follow.

Referring now to the drawings, FIG. 1 is a block diagram of an examplecomputing device 100 for identifying malicious activity using datacomplexity anomalies. Computing device 100 may be, for example, a servercomputer, a personal computer, an intermediary network device, a mobilecomputing device, or any other electronic device suitable for processingdata. In the embodiment of FIG. 1, computing device 100 includeshardware processor 110 and machine-readable storage medium 120.

Hardware processor 110 may be one or more central processing units(CPUs), semiconductor-based microprocessors, FPGA, and/or other hardwaredevices suitable for retrieval and execution of instructions stored inmachine-readable storage medium 120. Hardware processor 110 may fetch,decode, and execute instructions, such as 122-128, to control theprocess for identifying anomalous data complexity. As an alternative orin addition to retrieving and executing instructions, hardware processor110 may include one or more electronic circuits that include electroniccomponents for performing the functionality of one or more instructions.

A machine-readable storage medium, such as 120, may be any electronic,magnetic, optical, or other physical storage device that contains orstores executable instructions. Thus, machine-readable storage medium120 may be, for example, Random Access Memory (RAM), an ElectricallyErasable Programmable Read-Only Memory (EEPROM), a storage device, anoptical disc, and the like. In some implementations, storage medium 120may be a non-transitory storage medium, where the term “non-transitory”does not encompass transitory propagating signals. As described indetail below, machine-readable storage medium 120 may be encoded with aseries of executable instructions: 122-128, for identifying anomalousdata complexity.

As shown in FIG. 1, the computing device 100 executes instructions 122to receive a byte stream 132 that includes a plurality of bytes. FIG. 1depicts the byte stream 132 being provided by a first source device 130,which may be any device capable of communicating data signatures to thecomputing device 100, such as a data storage device, separate computingdevice, or user input device. The actual data included in the bytestream 132 may vary depending on the context. For example, the bytestream 132 may be a computer file, a network packet, a stream of networkpackets, or content included in a portion of a network packet.

The computing device 100 executes instructions 124 to determine, for atleast one subset of the byte stream 132, a measure of complexity of theat least one subset. In some implementations, the subset includes thewhole byte stream 132. For example, the computing device 100 maydetermine a measure of complexity for all data included in the bytestream 132. In some implementations, the computing device 100 maydetermine complexity for multiple proper subsets of the byte stream 132.For example, in the context of a network packet, the computing devicemay determine complexity for different portions of the network packet,such as the body, header, footer, and/or source device address. Thecomputing device 100 may, in some situations, use predeterminedspecifications to determine which subset(s) to determine measures ofcomplexity for, e.g., based on the context of the byte stream 132. Forexample, the network packet context may trigger the example complexitydeterminations above, e.g., for predetermined portions of the networkpacket.

In some implementations, measures of complexity are based on a measureof compressibility. For example, the computing device 100 may executeinstructions to compress the subset(s) of the byte stream 132 to obtaina compression ratio. When compressing subset(s) of the byte stream 132,subsets have a pre-compression size, e.g., 1,000 bytes, and apost-compression size and compression ratio that depends upon the bytesincluded in the subset(s) and the compression algorithm(s) used. Thetype of compression, e.g., compression algorithm used, may vary. By wayof example, the computing device 100 may use zlib compression tocompress subset(s) of the byte stream 132. Other compression algorithmsmay also be used, for example, bz2, Lempel-Ziv-Markov chain (lzma), andLempel-Ziv-Welch (lzw).

The computing device 100 executes instructions 126 to determine that themeasure of complexity meets a predetermined threshold measure ofcomplexity for a context associated with the byte stream. Thepredetermined threshold measure of complexity may be based on a varietyof things. In some implementations, the threshold measure of complexityis based on previously measured complexity values for at least one otherbyte stream. For example, the threshold may be based on previouslymeasured compression ratios for byte streams that were previouslyidentified as benign, such as benign computer files or network packets.In some implementations, the threshold measure of complexity may bedetermined based on a predetermined byte stream specification for acontext associated with the byte stream. For example, particular networkpacket fields may have an expected measure of complexity that may bespecified in a specification for those corresponding network packetfields. Thresholds may be determined in other ways as well, e.g., byanalyzing network protocol or data element descriptions of particulartypes of data.

The context associated with the byte stream may be determined in avariety of ways and, in some implementations, multiple contexts may beassociated with a single byte stream. The context may be a type of bytestream and/or type of information included in the byte stream. Forexample, a network packet may be included in the network packet context,while an executable file may be in the executable file context. Anetwork packet may also include subsets, or portions, that have theirown context. For example, the body of a network packet may be onecontext, e.g., the network packet body context, while HTML code includedin the body of a network packet may be another context that includes thesame data, e.g., the HTML context. The HTML context may also be found inother types of data streams, such as executable files that include HTMLcode. Expected complexity values may vary in different contexts, andcomplexity thresholds may also be determined and used within theircorresponding context(s). As noted above, the subset of the byte streamselected by the computing device 100 may also be selected based on itscontext.

The type of threshold used may vary, e.g., depending on the context, apredetermined specification, or previously measured complexity values.For example, in some implementations the threshold is a distributionthreshold, where prior analysis of benign byte streams results in anexpected range of complexity, or compressibility, and the threshold is anumber of standard deviations above the mean threshold. Other methodsfor determining thresholds and whether a byte stream meets the thresholdalso include using, for example, using local outlier factors and densitybased clustering. Thresholds may have upper and/or lower bounds. Forexample, data that is less complex than expected may indicate maliciousactivity, e.g., in a situation where malicious activity includes“fuzzing” data, which may be performed by users attempting to determineboundaries of parsing in various contexts and fields. As used herein,meeting a threshold includes meeting or exceeding an upper and/or alower threshold.

In some implementations, threshold(s) and byte stream 132 subset(s) maybe used and/or selected based on context. For example, when processingnetwork packets, the computing device 100 may specifically pull the bodyof a network packet as one subset for threshold complexity comparison.The threshold(s) used may also depend upon the context, e.g., in thenetwork packet context, the measure of complexity determined for thebody of a network packet may be compared to a threshold that wascalculated using the bodies of benign network packets, while the measureof complexity determined for the header of a network packet may becompared to a threshold that was calculated using benign network packetheaders.

The computing device 100 executes instructions 128 to provide anindication 134 that the byte stream 132 complexity is anomalous inresponse to determining that the measure of complexity meets thethreshold. The example computing device 100 provides the indication to asecond device 140, which may be any device suitable for receivingcommunications from the computing device 100, such as another computingdevice, a storage device—e.g., for logging, or a security event handler.

FIG. 2A is an example data flow 200 for identifying thresholds for datacomplexity. FIG. 2B is a block diagram of an example computing device250 for identifying thresholds for data complexity. The computing device250, hardware processor 260, machine-readable storage medium 270, andsource device 280 may be the same as or similar to the computing device100, hardware processor 110, machine-readable storage medium 120, andsource device 130 of FIG. 1.

The data flow 200 depicts the determination of threshold measures ofcomplexity for byte streams in a variety of contexts using a complexitymeasuring device 210, which may be implemented by a computing device,such as the computing device 100 described above with respect to FIG. 1or the computing device 250 of FIG. 2B. The example data set, bytestream 202, may be provided by any input device, such as a separatecomputing device or user input.

As shown in FIG. 2B, the computing device 250 executes instructions 272to obtain a plurality of benign byte streams, each benign byte streambeing associated with a particular context of a plurality of byte streamcontexts. In the example data flow 200, benign byte streams 202 areprovided to the complexity measuring device 210. The each benign bytestream 202 may include, for example, a stream of bytes as indicated inthe example byte stream 204, which includes an unspecified number ofbytes from 1-N. Benign byte streams 202 may be, for example, networkpackets that are previously identified as benign, or likely to bebenign.

As noted above, the context associated with a benign byte stream may, insome situations, involve more than one feature of the byte stream. Forexample, computer files may have general computer file context, whiledifferent types of files have their own more specific context as well,e.g., an executable computer file may be in both the computer filecontext and the executable computer file context, and the language theexecutable file is written in may also have its own context.

The computing device 250 of FIG. 2B executes instructions 274 todetermine, for each benign byte stream, at least one measure ofcomplexity for the byte stream, each measure of complexity beingdetermined based on a subset of the benign byte stream. In the exampledata flow 200, complexity for subsets of the benign byte streams 202 isdetermined using compressibility. Each of the byte stream subsets 206 iscompressed to obtain a compression ratio that is a ratio of thepre-compression size of the subset to the post-compression size of thesubset. Each of the subsets 206 also has an associated contextindicating which portion of the benign byte stream the subset includesand/or what type of data is included in the subset.

For example, StreamSubsetA includes HTML code that was compressed to aratio of 2.07, StreamSubsetB includes network packet header informationthat was compressed to a ratio of 1.58, StreamSubsetC includes networkpacket header information that was compressed to a ratio of 1.62,StreamSubsetD includes HTML code that was compressed to a ratio of 2.15,StreamSubsetE includes executable code, such as javascript, that wascompressed to a ratio of 4.35, StreamSubsetF includes HTML code that wascompressed to a ratio of 2.11. As noted above, complexity values may bedetermined for a variety of subsets and for a variety of contexts.

The computing device 250 of FIG. 2B executes instructions 276 todetermine a threshold measure of complexity for the particular contextbased on measures of complexity determined for the benign byte streams.The determination may be made in a variety of ways. In the example dataflow 200, the complexity measuring device 210 may determine thresholdsfor one or more byte stream contexts. For example, the byte streamsubsets that include HTML code have an average compressibility of 2.11,so those values may be used to create a threshold, e.g., the thresholdfor HTML code may be two standard deviations away from the distributionof HTML compression ratios observed for the benign byte streams 202. Asnoted above, other methods for determining thresholds using complexityvalues, including density based clustering and local outlier methods,may be used.

In the example data flow 200, the complexity threshold data 208, e.g.,the data specifying threshold information for various contexts, isstored in complexity data storage 215. This information may be used, forexample, by an intrusion prevention device or other data analyzingdevice to determine whether unknown byte streams have anomalouscomplexity values.

New benign byte streams may be periodically added to a system thatimplements the process for identifying thresholds for data complexitydescribed above. In this situation, thresholds may be updated andadjusted, if necessary, as new complexity values are acquired.

In some implementations, the computing device 250 of FIG. 2B may executeinstructions to receive a new byte stream, e.g., one for which thecomputing device 250 will determine whether the complexity threshold ismet. In this situation, the computing device 250 may executeinstructions to determine that the new byte stream is associated withthe particular context for which the threshold was determined. Forexample, the new byte stream may be determined to be in the HTMLcontext.

In situations where the computing device 250 determines the a measure ofcomplexity for the new byte stream meets the threshold measure ofcomplexity for the particular context, the computing device 250 mayprovide an indication the that new byte stream includes data havinganomalous complexity in response to the determination that the newmeasure of complexity meets the threshold. For example, when using thecompression threshold for HTML content, the computing device 250 maysend an anomalous complexity notification in response to determiningthat the compressed HTML code of the new byte stream meets the thresholdfor the HTML context. The notification may be sent, for example, to adevice for logging, an administrator device, and/or to a security eventhandler.

In situations where the computing device 250 determines that a measureof complexity for the new byte stream does not meet the thresholdmeasure of complexity for the particular context, the computing device250 may provide an indication that the new byte stream is benign inresponse to the determination. For example, in a context where thecomputing device 250 is analyzing executable computer files, determiningthat a compressed executable file meets a predetermined threshold forexecutable code may result in a notification being provided, e.g., to alog file or device, that the corresponding executable computer file isbenign.

While the example above, described with respect to FIGS. 2A and 2B,determines complexity thresholds based on previously measured values ofcomplexity, complexity thresholds may be determined in other ways. Forexample, complexity thresholds may be based on byte streamspecifications that are predetermined for a particular context or basedon user input.

FIG. 3 is an example data flow 300 for identifying byte streams havinganomalous complexity values. The uses for complexity thresholdsdetermined for various byte stream contexts may vary and may depend uponthe contexts of the byte streams. In the example data flow 300,complexity thresholds 310 determined using the methods described aboveare used to identify potentially malicious byte streams based on thecomplexity of the data included in the byte streams.

The example data flow 300 includes an intermediary network device 320,which may be any device capable of using the complexity thresholds 310to identify potentially malicious byte streams. Examples include, forexample, software defined network elements, server computers, personalcomputers, or network switches. The example intermediary network device320 may be, for example, a software defined network element thatincludes programmable hardware, such as an FPGA, and is configured tooperate as a network switch.

In this example use case, the intermediary network device 320 receives,from a source device 340, one or more network packets 302 which includea byte stream 304. The source device 340 may be any device capable ofnetwork communications, e.g., a network router or switch, a servercomputer, or a personal computer. In some situations, the byte stream304 may be span multiple network packets 302 and may, in someimplementations, include the data comprising the network packets 302.Examples include files split across multiple network packets and codeincluded in particular portion of a single network packet or spreadacross multiple network packets in a particular portion of each networkpacket.

The intermediary network device 320 uses the complexity thresholds 310to determine whether the byte stream 304 has a complexity value thatmeets a threshold and, as such, is potentially malicious. For example,the byte stream 304 may include javascript, and the intermediary networkdevice 320 may compress the javascript to obtain a compression ratio forthe javascript. The intermediary network device 320 may then compare theobtained compression ratio to a threshold compression ratio forjavascript included in the complexity thresholds 310 obtained from thecomplexity data storage 215.

In a situation where the complexity of the javascipt is within expectedmeasures, e.g., the compressed javascript does not meet/exceed athreshold compression ratio, the network packet(s) 302 and included bytestream 304 may be processed normally, e.g., by forwarding the networkpacket(s) 302 to their intended destination, e.g., destination device350.

In situations where a threshold measure of complexity is met, theintermediary network device 310 may perform a variety of actions, e.g.,depending upon its configuration. In the example data flow 300, theintermediary network device 320 is configured to send a security eventnotification 306 to a security event handler 360. The notification 306may include a variety of information, such as the identified byte stream304, the network packet(s) 302 that include the byte stream 304, anidentifier of the context, and/or information related to the sourcedevice 340. Other example actions taken by the intermediary networkdevice 320 in response to identifying a byte stream having anomalousdata complexity may include preventing transmission of the networkpacket(s) 302 that include the byte stream 304 and/or preventingtransmission of future network packets received from the same sourcedevice 340 or from a same source identified in the network packet(s)302.

FIG. 4 is a flowchart of an example method 400 for identifying maliciousactivity using data complexity anomalies. The method 400 may beperformed by a computing device, such as a computing device described inFIG. 1 or 2B. Other computing devices may also be used to execute method400. Method 400 may be implemented in the form of executableinstructions stored on a machine-readable storage medium, such as thestorage medium 120, and/or in the form of electronic circuitry, such asa field-programmable gate array (FPGA) and/or an application-specificintegrated circuit (ASIC). Combinations of one or more of the foregoingprocessors may also be used to identify signatures for data sets.

At least one network packet is received (402). For example, a stream ofnetwork packets may be received from a computing device. The networkpackets may be received at a device designed to process the networkpackets, e.g., by forwarding them to their intended destination, or by adevice designed to analyze the network packets, e.g., aftertransmission.

A byte stream included in a subset of the at least one network packet isobtained, the subset of the network packet being associated with aparticular context of a plurality of contexts (404). For example, thebyte stream may be a computer file that is included in a particularsubset of multiple network packets. The subset of the network packet maybe the portion associated with computer file attachments, and theparticular context may be computer files, generally.

A measure of complexity is determined for the byte stream (406). Forexample, the computer file that was included in the network packets maybe compressed to obtain a compression ratio. The compression ratio maybe the measure of complexity for the computer file.

Whether the measure of complexity meets a threshold measure ofcomplexity for the particular context is determined (408). For example,the compression ratio of the computer file may be compared to athreshold compression ratio for the general computer file context. Insome implementations, the threshold measure of complexity for theparticular context is based on previously measured compressibilityvalues for at least one other byte stream associated with the particularcontext. For example, compression ratios of computer files known to bebenign may be used to generate a threshold compression ratio forcomputer files. In situations where the measure of complexity meets thethreshold measure of complexity, method 400 may include, for example,providing an indication that the network packet includes anomalous datain response to determining that the measure of complexity meets thethreshold. Other actions, such as those described with respect to FIG. 3above, may also be performed in response to the threshold complexitydetermination.

The foregoing disclosure describes a number of example implementationsfor identifying anomalous data complexity. As detailed above, examplesprovide a mechanism for identifying thresholds for data complexity invarious contexts and potential applications of a system that is capableof identifying anomalous data complexity.

We claim:
 1. A non-transitory machine-readable storage medium encodedwith instructions executable by a hardware processor of a computingdevice for identifying malicious activity using data complexityanomalies, the machine-readable storage medium comprising instructionsto cause the hardware processor to: receive a byte stream that includesa plurality of bytes; determine, for a least one subset of the bytestream, a measure of complexity of the subset; determine that themeasure of complexity meets a predetermined threshold measure ofcomplexity for a context associated with the byte stream; and inresponse to determining that the measure of complexity meets thethreshold, provide an indication that the byte stream complexity isanomalous.
 2. The storage medium of claim 1, wherein the at least onesubset of the byte stream is a subset including the whole byte stream.3. The storage medium of claim 1, wherein the hardware processordetermines measures of complexity for each of a plurality of propersubsets of the byte stream.
 4. The storage medium of claim 1, whereineach measure of complexity is based on a measure of compressibility. 5.The storage medium of claim 1, wherein each other byte stream isassociated with a particular context of a plurality of contexts, andwherein the received byte stream is associated with the particularcontext.
 6. The storage medium of claim 5, wherein the instructionsfurther cause the hardware processor to: select the at least one subsetof the byte stream based on the context associated with the receivedbyte stream.
 7. The storage medium of claim 1, wherein the thresholdmeasure of complexity is a distribution threshold.
 8. A computing devicefor identifying malicious activity using data complexity anomalies, thecomputing device comprising: a hardware processor; and a data storagedevice storing instructions that, when executed by the hardwareprocessor, cause the hardware processor to: obtain a plurality of benignbyte streams, each benign byte stream being associated with a particularcontext of a plurality of byte stream contexts; for each benign bytestream, determine at least one measure of complexity for the bytestream, each measure of complexity being determined based on a subset ofthe benign byte stream; and determine a threshold measure of complexityfor the particular context based on measures of complexity determinedfor the benign byte streams.
 9. The computing device of claim 8, whereinthe instructions further cause the hardware processor to: receive a newbyte stream; determine that the new byte stream is associated with theparticular context; determine that a new measure of complexity for thenew byte stream meets the threshold measure of complexity for theparticular context; and provide an indication the that new byte streamincludes data having anomalous complexity in response to thedetermination that the new measure of complexity meets the threshold.10. The computing device of claim 8, wherein the instructions furthercause the hardware processor to: receive a new byte stream; determinethat the new byte stream is associated with the particular context;determine that a new measure of complexity for the new byte stream doesnot meet the threshold measure of complexity for the particular context;and provide an indication the that new byte stream is benign in responseto the determination that the new measure of complexity does not meetthe threshold.
 11. The computing device of claim 8, wherein thethreshold measure of complexity is a threshold measure ofcompressibility that is based on measures of compressibility determinedfor the benign byte streams.
 12. The computing device of claim 8,wherein the hardware processor determines multiple threshold measures ofcomplexity for the particular context, each different threshold measureof complexity being based on measures of complexity determined fordifferent subsets of the benign byte streams.
 13. A method foridentifying malicious activity using data complexity anomalies,implemented by a hardware processor, the method comprising: receiving atleast one network packet; obtaining a byte stream included in a subsetof the at least one network packet, the subset of the network packetbeing associated with a particular context of a plurality of contexts;determining a measure of complexity for the byte stream; and determiningwhether the measure of complexity meets a threshold measure ofcomplexity for the particular context.
 14. The method of claim 13,wherein the measure of complexity meets the threshold measure ofcomplexity, and wherein the method further comprises: providing anindication that the network packet includes anomalous data in responseto determining that the measure of complexity meets the threshold. 15.The method of claim 13, wherein threshold measure of complexity for theparticular context is based on previously measured compressibilityvalues for at least one other byte stream associated with the particularcontext.